[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Comments on Mandatory Ciphers and a Proposal

To: Jeff Williams <jwkckid1@xxxxxxxxxxxxx>
Subject: Re: Comments on Mandatory Ciphers and a Proposal
From: Keith Moore <moore@xxxxxxxxxx>
Date: Thu, 24 Jul 1997 14:37:40 -0400
Cc: Keith Moore <moore@xxxxxxxxxx>, ietf-tls@xxxxxxxxxxxxx, jis@xxxxxxx
Reply-to: <ietf-tls@xxxxxxxxxxxxx>

> > > >  There will surely be uses of TLS for
> > > > which 3DES isn't considered to be of sufficient strength, and there
> > > > may even be uses of TLS for which DES40 is considered adequate.  So
> > > > there's no problem with a particular application protocol using TLS as
> > > > a component, and specifying its own mandantory ciphersuites, and we
> > > > should expect this from time to time.
> > >
> > >   I agree.  However this argument does not support a requirnment for
> > > a MANDITORY cipher suite as part of the spec.
> > 
> > Nope.  It's okay for a feature to be a SHOULD if failure to implement
> > that feature doesn't compromise interoperability.
> 
>   That decision should be left up to those implimentors doint the 
> inplimentation.  

It *is* left up to the implementor.  But if the implementor doesn't
include the mandantory ciphersuites specified for that application,
then the implementation isn't compliant with the specification.
Period.

> > It's fine for the general TLS spec to have one set of mandantory
> > ciphersuites, to be used with most applications, and for any specific
> > application to have its own set of mandantory ciphersuites.  But in
> > either case there MUST be a mandantory ciphersuite for every
> > standards-track TLS-aware application.
> 
>   Why?

So that any two implementations that are written to conform to the
spec, will interoperate.  As long as this is not the case for TLS, 
the TLS specification is incomplete, and will not go forward on
the standards track.


> > If several TLS-aware applications run on a single host, they should be
> > able to share a single TLS library.  That TLS library needs to have
> > enough ciphersuites to support the minimum requirements of all those
> > applications.
> 
>   I agree.  Anain this does not predicate a MANDITORY cipher suite
> to be used for any application.

Every standards-track application protocol must be completely specified.  
If the application needs security, and uses TLS, there must be 
mandantory ciphersuites specified for that application.  The only 
question remaining is whether TLS itself needs to specify mandantory
ciphersuites, and allow an application protocol to simply reference
the mandantory ciphersuites chosen by TLS.

The IESG has determined that TLS does indeed need to specify 
mandantory ciphersuites, even though specific applications may
choose a different set.  

> > It's fine with me if the 40bit ciphersuites are in the "SHOULD
> > implement" category, as long as the DH/DSS/3DES ciphersuit is "MUST
> > implement".
> 
>   Not ture completly.  if you add the DH/DSS/3DES ciphersuite as one
> of the should impliment group, than the implimentor can decide depending
> on the needs which of the cipher suites (possibly multipul), to be 
> implimented or a selection wizard could be used for multipul
> applications to accomplish this gole without the need or requirnment 
> for a MANDITORY cipher suite to be implimented.

Nope.  That doesn't satisfy the interoperability requirement.

Keith

Prev by Date: Re: Comments on Mandatory Ciphers and a Proposal
Next by Date: Re: Comments on Mandatory Ciphers and a Proposal
Previous by thread: Re: Comments on Mandatory Ciphers and a Proposal
Next by thread: Re: Comments on Mandatory Ciphers and a Proposal
Index(es):
- Date
- Thread